Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/hashicorp/nomad: GHSA-rqm8-q8j9-662f #1633

Closed
GoVulnBot opened this issue Mar 14, 2023 · 2 comments
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-rqm8-q8j9-662f, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/hashicorp/nomad 1.5.1 = 1.5.0

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/hashicorp/nomad
    versions:
      - introduced: TODO (earliest fixed "1.5.1", vuln range "= 1.5.0")
    packages:
      - package: github.com/hashicorp/nomad
summary: Nomad Job Submitter Privilege Escalation Using Workload Identity
description: |-
    ### Summary
    A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a user with the submit-job ACL capability can submit a job that can escalate to management-level privileges. This vulnerability, CVE-2023-1299, was introduced in Nomad 1.5.0 and fixed in Nomad 1.5.1.

    ### Background
    Nomad 1.4.0 introduced the concept of workload identity so that tasks can access variables without needing to access them through Nomad HTTP API with an ACL token.

    In 1.5.0, the identity block was introduced, which exposes the workload identity token to the workload so it can access Nomad HTTP API via a unix domain socket without configuring mTLS.

    ### Details
    During internal testing, we discovered it was possible to abuse the workload identity to elevate to management-level privilege if the workload identity did not have any attached ACL policies.

    ### Remediation
    Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.5.1 or newer. See Nomad’s Upgrading for general guidance on this process.
cves:
  - CVE-2023-1299
ghsas:
  - GHSA-rqm8-q8j9-662f
references:
  - web: https://nvd.nist.gov/vuln/detail/CVE-2023-1299
  - web: https://discuss.hashicorp.com/t/hcsec-2023-08-nomad-job-submitter-privilege-escalation-using-workload-identity/51389
  - advisory: https://github.com/advisories/GHSA-rqm8-q8j9-662f

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606783 mentions this issue: data/reports: unexclude 20 reports (3)

gopherbot pushed a commit that referenced this issue Aug 20, 2024
  - data/reports/GO-2023-1590.yaml
  - data/reports/GO-2023-1592.yaml
  - data/reports/GO-2023-1596.yaml
  - data/reports/GO-2023-1607.yaml
  - data/reports/GO-2023-1612.yaml
  - data/reports/GO-2023-1613.yaml
  - data/reports/GO-2023-1614.yaml
  - data/reports/GO-2023-1615.yaml
  - data/reports/GO-2023-1616.yaml
  - data/reports/GO-2023-1617.yaml
  - data/reports/GO-2023-1618.yaml
  - data/reports/GO-2023-1619.yaml
  - data/reports/GO-2023-1620.yaml
  - data/reports/GO-2023-1622.yaml
  - data/reports/GO-2023-1627.yaml
  - data/reports/GO-2023-1628.yaml
  - data/reports/GO-2023-1629.yaml
  - data/reports/GO-2023-1630.yaml
  - data/reports/GO-2023-1633.yaml
  - data/reports/GO-2023-1639.yaml

Updates #1590
Updates #1592
Updates #1596
Updates #1607
Updates #1612
Updates #1613
Updates #1614
Updates #1615
Updates #1616
Updates #1617
Updates #1618
Updates #1619
Updates #1620
Updates #1622
Updates #1627
Updates #1628
Updates #1629
Updates #1630
Updates #1633
Updates #1639

Change-Id: I2441a82107b88955ddb98c7d3c55b7b2fe3e3aa7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606783
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Development

No branches or pull requests

3 participants